Fix magic link delivery errors and resend cooldown UX

[DongDuong2001]

Summary

This PR hardens the magic-link sign-in/sign-up flow so users no longer hit confusing 502 Bad Gateway responses or repeatedly trigger Supabase's per-user email interval.

Changes

• normalize Supabase Auth magic-link errors into user-safe API responses
• return 429 and Retry-After metadata for resend/rate-limit cases
• replace the previous generic 502 fallback with clearer 503 email delivery handling
• pass retryAfter metadata through the auth service
• add a 60-second resend cooldown to the login magic-link button
• add a 60-second resend cooldown to the sign-up magic-link button

Verification

• npm.cmd exec eslint app/api/auth/magic-link/route.ts lib/features/auth/auth-service.ts app/login/page.tsx app/signup/page.tsx
• npm.cmd run build

Notes

Supabase is configured with Minimum interval per user = 60, so the UI now mirrors that cooldown instead of letting users spam resend requests and receive confusing API failures.

Summary by CodeRabbit

• New Features
  • Magic link requests now enforce a cooldown period with a countdown timer displayed on the login and sign-up pages, preventing rapid repeated requests.
  • Enhanced error responses now include retry-after timing information to guide users on when they can attempt authentication again.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
lab68dev-platform-1ds5	Ready	Preview, Comment	Jun 1, 2026 4:44pm

[supabase]

This pull request has been ignored for the connected project xafgcrldyuapvnimoler because there are no changes detected in supabase directory. You can change this behaviour in Project Integrations Settings ↗︎.

---

Preview Branches by Supabase.
Learn more about Supabase Branching ↗︎.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1e2e89e5-5b54-44d5-9e5e-1acce8b50526

📥 Commits

Reviewing files that changed from the base of the PR and between 621cf2c and 3f5fb91.

📒 Files selected for processing (4)

• app/api/auth/magic-link/route.ts
• app/login/page.tsx
• app/signup/page.tsx
• lib/features/auth/auth-service.ts

---

📝 Walkthrough

Walkthrough

This PR implements end-to-end magic-link request cooldown enforcement. The API route computes retryAfter for rate-limits and Supabase auth errors, the service layer propagates this value, and both login and signup pages enforce client-side cooldown timers with countdown UI feedback.

Changes

Magic-link request cooldown enforcement

Layer / File(s)	Summary
API cooldown and error normalization app/api/auth/magic-link/route.ts	Introduces MAGIC_LINK_COOLDOWN_SECONDS constant. normalizeSupabaseAuthError now returns retryAfter for cooldown-related, invalid-email, redirect-misconfiguration, and temporary delivery errors. Rate-limit rejection computes retryAfter from lock/reset timestamps and returns HTTP 429 with the value. Auth errors include retryAfter in JSON response body and conditionally add Retry-After header.
Service layer return type lib/features/auth/auth-service.ts	signInWithOtp return type extends to include optional retryAfter?: number. On unsuccessful API responses, retryAfter is extracted from the response when present.
Frontend cooldown UI and state app/login/page.tsx, app/signup/page.tsx	Both pages add MAGIC_LINK_COOLDOWN_SECONDS constant, cooldownSeconds state, and a useEffect that decrements the timer once per second. Submission logic blocks requests while cooldown is active with a countdown error. On successful OTP submission, cooldown is set to the constant; on failures with retryAfter, cooldown is set to that value. Submit button is disabled during cooldown and displays "Wait {cooldownSeconds}s" countdown label.

Sequence Diagram

sequenceDiagram
    participant User
    participant Frontend as Login/Signup Page
    participant Service as signInWithOtp
    participant API as /api/auth/magic-link
    participant Supabase
    
    User->>Frontend: Submit OTP request
    Frontend->>Service: signInWithOtp(email)
    Service->>API: POST with email
    API->>Supabase: signInWithOtp call
    alt Supabase error or rate-limit
        Supabase-->>API: error response
        API->>API: normalizeSupabaseAuthError<br/>compute retryAfter
        API-->>Service: { error, retryAfter }
    else Success
        Supabase-->>API: success
        API-->>Service: { success: true }
    end
    Service-->>Frontend: { success, error?, retryAfter? }
    Frontend->>Frontend: Set cooldownSeconds<br/>from retryAfter or constant
    Frontend->>Frontend: Decrement timer<br/>block new requests
    Frontend->>User: Show countdown + disabled button

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• lab68dev/lab68dev-platform#31: Extends the magic-link endpoint and service wiring introduced in that PR to propagate dynamic retryAfter values from Supabase auth and rate-limit errors.

Poem

🐰 Hop, hop, cool it down!
The magic link now waits with grace,
A countdown timer marks the space.
No rushing here—just breathe and try again,
When cooldown ends, your request takes flight. ✨

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix-magic-link-delivery-ux

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}